← Home

IEC 62443-3-2 Clause 4.7 – Document Requirements, Assumptions and Constraints

ISA/IEC 62443-3-2:2020, Clause 4.7 covers documenting cybersecurity requirements, assumptions and constraints as zone and conduit requirement ZCR 6.

ZCR 6 turns assessment outcomes into a usable design package: the cybersecurity requirements specification (CRS). The CRS records mandatory countermeasures from the detailed assessment plus policy, site and regulatory expectations needed to achieve each zone’s SL-T. It need not be a single standalone file — a section inside other IACS design documents can suffice if the content is there.

Teaching note: The summaries below paraphrase ISA/IEC 62443-3-2:2020 for learning purposes. They are not a verbatim extract of the standard — always refer to the published text for normative wording and assessment.

Reference: ISA/IEC 62443-3-2:2020, Clause 4.7
Related: Zone, Conduit and Risk Assessment (Clause 4) | ZCR 5 – Detailed Risk Assessment | ZCR 7 – Asset Owner Approval

ZCR pages: ZCR 1 | ZCR 2 | ZCR 3 | ZCR 4 | ZCR 5 | ZCR 6 | ZCR 7


Requirements in this ZCR


ZCR 6 – Document cybersecurity requirements, assumptions and constraints

Reference: ISA/IEC 62443-3-2, Clause 4.7

ZCR 6.1: Cybersecurity requirements specification

Clause: 4.7.2

Summary
Create a CRS that records mandatory security countermeasures for the SUC based on the detailed risk assessment, plus general security requirements from company or site-specific policies, standards and applicable regulations. As a minimum the CRS shall include the content required by ZCR 6.2 through ZCR 6.9.

Clear documentation keeps owners, integrators and suppliers working from the same target. ISA technical reports on related CRS content can supplement — they do not replace the minimum list in Part 3-2.

ZCR 6.2: SUC description

Clause: 4.7.3

Summary
Include a high-level description and depiction of the SUC: name, function, intended use, and a description of the equipment or process under control. Illustrations of data and process flows strengthen the description.

ZCR 6.3: Zone and conduit drawings

Clause: 4.7.4

Summary
Produce drawing(s) that show zone and conduit partitioning for the whole SUC, and assign every asset to a zone or a conduit.

ZCR 6.4: Zone and conduit characteristics

Clause: 4.7.5

Summary
For each zone and conduit, document at least: unique name/ID; accountable organisation(s); logical boundary; physical boundary where applicable; safety designation; logical and physical access points; data flows per access point; connected zones/conduits; assets with classification, criticality and business value; SL-T; applicable security requirements; applicable security policies; and assumptions plus external dependencies.

Those fields exist for design, accountability and monitoring: they mark who owns the partition, where traffic enters, what would be lost if it fails, which SL-T and policies apply, and what outside factors (power, outer networks, physical layers) the design assumes. Final security-requirement lists typically wait until the detailed assessment in ZCR 5 is complete.

ZCR 6.5: Operating environment assumptions

Clause: 4.7.6

Summary
Document the physical and logical environment where the SUC sits or will sit — site layout, rooms, cabling, site security plans, networks, protocols and interfacing OT/IT systems, plus supporting utilities and safety systems that shape the operating context.

ZCR 6.6: Threat environment

Clause: 4.7.7

Summary
Describe the threat environment affecting the SUC, naming intelligence sources and covering both current and emerging threats (CERTs, ICS-CERT, ISACs, suppliers, advisories, government agencies, commercial threat feeds, and similar).

ZCR 6.7: Organizational security policies

Clause: 4.7.8

Summary
Include in the CRS the countermeasures and features that implement the organisation’s security policies so baseline policy is not lost when the system is designed.

ZCR 6.8: Tolerable risk

Clause: 4.7.9

Summary
State the organisation’s tolerable risk for the SUC inside the CRS so designers and approvers work to the same acceptance bar.

ZCR 6.9: Regulatory requirements

Clause: 4.7.10

Summary
Record any cybersecurity regulatory requirements that apply to the SUC so compliance obligations travel with the design package.

Key Takeaways